Re: [Freeipa-devel] [Testplan] Support of UPN for trusted domains
On Mon, Jul 11, 2016 at 09:44:46AM +0200, Lenka Doudova wrote: > > > On 07/07/2016 11:13 AM, Sumit Bose wrote: > > On Fri, May 27, 2016 at 11:24:24AM +0300, Alexander Bokovoy wrote: > > > On Fri, 27 May 2016, Sumit Bose wrote: > > > > On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote: > > > > > Hi all, > > > > > > > > > > > > > > > here [1] is a draft of test plan for V4 RFE Support of UPN for trusted > > > > > domains. > > > > > > > > > > Please review this and let me know if there's something missing or > > > > > wrong. > > > > Hi Lenka, > > > > > > > > thank you for the test plan. > > > > > > > > About the TBD, Alexander and I agreed to store the alternative domain > > > > suffixes read from AD in a new attribute in the LDAP object of the > > > > forest root of the trusted domain. > > > > > > > > About the kinit tests. Please note that it is expected that the -E > > > > option of kinit must be used when alternative suffixes are used. > > > > > > > > I'm not sure if SSSD tests are in the scope here as well. If they are I > > > > would suggest to add authentication tests with SSSD where e.g. the name > > > > with an alternative domain suffix is used as login name. This in general > > > > already works with SSSD but is disabled by default for IPA because of > > > > the missing server-side support so far. Since SSSD must be able to work > > > > with old and new IPA server https://fedorahosted.org/sssd/ticket/3018 > > > > was created so that SSSD can detect at runtime if the server supports > > > > this or not. > > > Right, I think we should make sure SSSD is tested against IPA UPN > > > support because otherwise we might get regressions. > > Hi Lenka, > > > > I would like to ask you to add test where 'kinit -E' is used with an IPA > > user as well to avoid regression, because currently 'kinit -E > > ipauser@IPA.DOMAIN' does not work. > > > > Please note that the full principal must be used with kinit in this case > > because when just using > > > > kinit -E ipauser > > > > kinit is smart enough to see that it makes no sense to add the > > default_realm twice and internally just does 'kinit ipauser@IPA.DOMAIN'. > > > > If you think this test is better suited in a different test plan please > > let me know, then I'll ask there. > > > > bye, > > Sumit > Hi Sumit, > > this test should be covered in basic trust test suite, but I think it's not > in the code of the test (I was busy with providing coverage for new features > and didn't manage to go through old coverage). I'll check this and update > ASAP. > > Thanks for catching it! Thank you for taking care of it. bye, Sumit > Lenka > > > > > > > -- > > > / Alexander Bokovoy > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Testplan] Support of UPN for trusted domains
On 07/07/2016 11:13 AM, Sumit Bose wrote: On Fri, May 27, 2016 at 11:24:24AM +0300, Alexander Bokovoy wrote: On Fri, 27 May 2016, Sumit Bose wrote: On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote: Hi all, here [1] is a draft of test plan for V4 RFE Support of UPN for trusted domains. Please review this and let me know if there's something missing or wrong. Hi Lenka, thank you for the test plan. About the TBD, Alexander and I agreed to store the alternative domain suffixes read from AD in a new attribute in the LDAP object of the forest root of the trusted domain. About the kinit tests. Please note that it is expected that the -E option of kinit must be used when alternative suffixes are used. I'm not sure if SSSD tests are in the scope here as well. If they are I would suggest to add authentication tests with SSSD where e.g. the name with an alternative domain suffix is used as login name. This in general already works with SSSD but is disabled by default for IPA because of the missing server-side support so far. Since SSSD must be able to work with old and new IPA server https://fedorahosted.org/sssd/ticket/3018 was created so that SSSD can detect at runtime if the server supports this or not. Right, I think we should make sure SSSD is tested against IPA UPN support because otherwise we might get regressions. Hi Lenka, I would like to ask you to add test where 'kinit -E' is used with an IPA user as well to avoid regression, because currently 'kinit -E ipauser@IPA.DOMAIN' does not work. Please note that the full principal must be used with kinit in this case because when just using kinit -E ipauser kinit is smart enough to see that it makes no sense to add the default_realm twice and internally just does 'kinit ipauser@IPA.DOMAIN'. If you think this test is better suited in a different test plan please let me know, then I'll ask there. bye, Sumit Hi Sumit, this test should be covered in basic trust test suite, but I think it's not in the code of the test (I was busy with providing coverage for new features and didn't manage to go through old coverage). I'll check this and update ASAP. Thanks for catching it! Lenka -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Testplan] Support of UPN for trusted domains
On Fri, May 27, 2016 at 11:24:24AM +0300, Alexander Bokovoy wrote: > On Fri, 27 May 2016, Sumit Bose wrote: > > On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote: > > > Hi all, > > > > > > > > > here [1] is a draft of test plan for V4 RFE Support of UPN for trusted > > > domains. > > > > > > Please review this and let me know if there's something missing or wrong. > > > > Hi Lenka, > > > > thank you for the test plan. > > > > About the TBD, Alexander and I agreed to store the alternative domain > > suffixes read from AD in a new attribute in the LDAP object of the > > forest root of the trusted domain. > > > > About the kinit tests. Please note that it is expected that the -E > > option of kinit must be used when alternative suffixes are used. > > > > I'm not sure if SSSD tests are in the scope here as well. If they are I > > would suggest to add authentication tests with SSSD where e.g. the name > > with an alternative domain suffix is used as login name. This in general > > already works with SSSD but is disabled by default for IPA because of > > the missing server-side support so far. Since SSSD must be able to work > > with old and new IPA server https://fedorahosted.org/sssd/ticket/3018 > > was created so that SSSD can detect at runtime if the server supports > > this or not. > Right, I think we should make sure SSSD is tested against IPA UPN > support because otherwise we might get regressions. Hi Lenka, I would like to ask you to add test where 'kinit -E' is used with an IPA user as well to avoid regression, because currently 'kinit -E ipauser@IPA.DOMAIN' does not work. Please note that the full principal must be used with kinit in this case because when just using kinit -E ipauser kinit is smart enough to see that it makes no sense to add the default_realm twice and internally just does 'kinit ipauser@IPA.DOMAIN'. If you think this test is better suited in a different test plan please let me know, then I'll ask there. bye, Sumit > > > -- > / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Testplan] Support of UPN for trusted domains
On Fri, 27 May 2016, Sumit Bose wrote: On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote: Hi all, here [1] is a draft of test plan for V4 RFE Support of UPN for trusted domains. Please review this and let me know if there's something missing or wrong. Hi Lenka, thank you for the test plan. About the TBD, Alexander and I agreed to store the alternative domain suffixes read from AD in a new attribute in the LDAP object of the forest root of the trusted domain. About the kinit tests. Please note that it is expected that the -E option of kinit must be used when alternative suffixes are used. I'm not sure if SSSD tests are in the scope here as well. If they are I would suggest to add authentication tests with SSSD where e.g. the name with an alternative domain suffix is used as login name. This in general already works with SSSD but is disabled by default for IPA because of the missing server-side support so far. Since SSSD must be able to work with old and new IPA server https://fedorahosted.org/sssd/ticket/3018 was created so that SSSD can detect at runtime if the server supports this or not. Right, I think we should make sure SSSD is tested against IPA UPN support because otherwise we might get regressions. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Testplan] Support of UPN for trusted domains
On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote: > Hi all, > > > here [1] is a draft of test plan for V4 RFE Support of UPN for trusted > domains. > > Please review this and let me know if there's something missing or wrong. Hi Lenka, thank you for the test plan. About the TBD, Alexander and I agreed to store the alternative domain suffixes read from AD in a new attribute in the LDAP object of the forest root of the trusted domain. About the kinit tests. Please note that it is expected that the -E option of kinit must be used when alternative suffixes are used. I'm not sure if SSSD tests are in the scope here as well. If they are I would suggest to add authentication tests with SSSD where e.g. the name with an alternative domain suffix is used as login name. This in general already works with SSSD but is disabled by default for IPA because of the missing server-side support so far. Since SSSD must be able to work with old and new IPA server https://fedorahosted.org/sssd/ticket/3018 was created so that SSSD can detect at runtime if the server supports this or not. bye, Sumit > > > Thanks, > > Lenka > > > [1] > http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains/Test_Plan > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
